sFLOW v5 original header alignment issue
484 views
Skip to first unread message
Pavel Odintsov
Feb 17, 2016, 4:28:58 PM2/17/16
to sFlow
Hello, folks!
I'm trying to implement sflow agent in C++. I've implemented it according official documents and standard.
But I hit very interesting issue. I tried to build sflow packet with length of 78 bytes (not multiple to 4 bytes). And tshark / wireshark fails to parse it with following errors:
InMon sFlow
Datagram version: 5
Agent address type: IPv4 (1)
Agent address: 127.0.0.1
Sub-agent ID: 1
Sequence number: 1
SysUptime: 2373236000
NumSamples: 1
Flow sample, seq 1
0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0)
.... .... .... .... .... 0000 0000 0001 = sFlow sample type: Flow sample (1)
Sample length (byte): 134
Sequence number: 1
0000 0000 .... .... .... .... .... .... = Source ID class: 0
.... .... 0000 0000 0000 0000 0000 0101 = Index: 5
Sampling rate: 1 out of 2048 packets
Sample pool: 12312323 total packets
Dropped packets: 0
Input interface (ifIndex): 1
.000 0000 0000 0000 0000 0000 0000 0010 = Output interface (ifIndex): 2
Flow record: 1
Raw packet header
0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0)
Format: Raw packet header (1)
Flow data length (byte): 94
Header protocol: Ethernet (1)
Frame Length: 78
Payload removed: 0
Original packet length: 78
[Malformed Packet: sFlow]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
After some research I've found following comments inside wireshark's sflow dissector:
if (header_length % 4) /* XDR requires 4-byte alignment */
header_length += (4 - (header_length % 4));
Then I've changed my original packet header captured size from 78 to 76 bytes (2 removed bytes). And my issues become solved!
But actually I could not find any requirements of alignment for 4 byte bounds in sflow standard. Could you help me?
Peter Phaal
Feb 17, 2016, 4:42:35 PM2/17/16
to sFlow
sFlow uses XDR as the serialization protocol, page 24, sFlow Version 5
(http://sflow.org/sflow_version_5.txt). The sFlow sampled_header
structure defines the captured header bytes as opaque header<>.
If you look at the XDR spec, padding to a four byte boundary is added
when serializing a variable length opaque structure,
https://tools.ietf.org/html/rfc4506#section-4.10
There are open source sFlow agent implementations you might want to reference:
http://sflow.org/developers/tools.php
https://github.com/sflow/host-sflow
> --
> You received this message because you are subscribed to the Google Groups
> "sFlow" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sflow+un...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
(http://sflow.org/sflow_version_5.txt). The sFlow sampled_header
structure defines the captured header bytes as opaque header<>.
If you look at the XDR spec, padding to a four byte boundary is added
when serializing a variable length opaque structure,
https://tools.ietf.org/html/rfc4506#section-4.10
There are open source sFlow agent implementations you might want to reference:
http://sflow.org/developers/tools.php
https://github.com/sflow/host-sflow
> You received this message because you are subscribed to the Google Groups
> "sFlow" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sflow+un...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Pavel Odintsov
Feb 18, 2016, 11:07:44 AM2/18/16
to sFlow
Hello!
Thank you so much! That's best possible answer! :)
Reply all
Reply to author
Forward
0 new messages